How to make backend appservice accept the traffic only from the frontend appservice?

Question

How to make backend appservice accept the traffic only from the frontend appservice?

KT 190

Hi all,

I'm trying to secure my backend App Service by:

Blocking all public internet access
Only allowing access from my frontend App Service

What I've tried:

Added IP restrictions in the backend App Service's networking settings
Whitelisted the frontend App Service's outbound IP addresses
However, I'm still getting 403 errors when the frontend tries to access the backend

Questions:

What's the correct way to configure this setup?
Do I need to use App Service Environment (ASE) for the frontend to properly communicate with the backend's private endpoint?
If not using ASE, how can I make the frontend App Service successfully connect to the backend App Service through private endpoint?

Any guidance on the proper architecture and configuration would be much appreciated.

Hima Bindu 240 Reputation points

2024-10-21T06:42:44.4466667+00:00
Hi @KT,
Welcome to the Microsoft Q&A Platform!
To secure your backend App Service and ensure that it only accepts traffic from your frontend App Service, need to follow these steps

Use Virtual Network Integration

Frontend App Service: Enable VNet integration to allow access to the VNet. Integrate an Azure App Service with a Virtual Network

Backend App Service: Configure the backend App Service to use a private endpoint in the same VNet. Use Private Endpoints with Azure App Service

Configure Private Endpoints

Create a Private Endpoint: Set up a private endpoint for the backend App Service, ensuring it has a private IP address accessible only within the VNet. Create a Private Endpoint for App Service

DNS Configuration: Ensure the frontend can resolve the private endpoint's DNS name. Consider using Azure DNS or setting up a custom DNS zone. Configure DNS for Private Endpoints

Set Up Network Security Groups

Apply NSGs: Create an NSG for the backend App Service's subnet. Backend NSG Rules: Allow inbound traffic from the IP range or subnet of the frontend App Service. Create and manage NSGs

Deny All Other Traffic: Add rules to deny all traffic from other sources to enhance security.

IP Restrictions

Restrict IP Access: In the backend App Service settings, add IP restrictions for the frontend App Service’s outbound IPs. Restrict access to Azure App Service
Enable App Services Authentication so to validate requests coming to the backend from the frontend.

By following these things you should be able to configure your backend App Service securely to accept traffic only from your frontend App Service.
KT 190 Reputation points

2024-10-22T01:08:07.2933333+00:00

Thank you for your detail explanation, Hima Bindu!

I believe I did all the steps you mentioned, but the backend still keep returning 403 error.
Hima Bindu 240 Reputation points

2024-10-22T02:11:08.6933333+00:00
Hi @KT,
Thank you for your Response!
To securely configure your backend App Service to accept traffic only from your frontend App Service and avoid 403 errors, please follow these steps:

DNS Lookup:

Use the Kudu/SSH console in the frontend App Service:
nslookup <backend-app-service-url>

Private Endpoint Configuration:

Ensure the backend's private endpoint is linked to the correct VNet and is accessible only within that VNet.

VNet Integration:

Verify that the frontend App Service is integrated with the same VNet (or a peered VNet) as the backend's private endpoint.

NSG Rules:

Check the NSG on the backend's subnet to allow inbound traffic from the frontend's IP address or subnet.

Access Restrictions:

Confirm that the backend App Service has the frontend's outbound IPs whitelisted.

App Services Authentication:

Ensure the frontend App Service is correctly authenticating requests to the backend if authentication is enabled.
By addressing these areas, you should be able to establish secure communication between your frontend and backend App Services without encountering 403 errors.
If any further questions let me know.
KT 190 Reputation points

2024-10-22T11:25:13.9033333+00:00

Hi Hima Bindu,

Thank you for your reply. I did 1&2 and confirm they setup all correctly.

For 3, since I cannot choose the same subnet where the private endpoint is hosted, I choose another subnet in the Vnet.

For 4, I added the outbount IP(with servicetag) and IP address of AppService in NSG

For 5, yes, I did.

I did not add the logic mentioned in 6.

Could you please confirm if you configure before and it is successful?
Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator

2024-10-23T06:44:50.65+00:00

Hi @KT,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
KT 190 Reputation points

2024-10-24T08:15:26.9366667+00:00

Hi Hima Bindu,

Thanks again for your help. It still does not work even after Managed Identity. Could you tell me where I configure wrongly?
Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator

2024-10-24T08:43:46.4933333+00:00

Hi @KT,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
KT 190 Reputation points

2024-10-24T10:46:39.17+00:00

Hi Shree Hima Bindu Maganti (Quadrant Resource LLC),

I think I follow the steps you shared but it still does not work.

I suspect what https://learn.microsoft.com/en-us/answers/questions/1186571/how-to-give-accesss-to-frontend-webapp-and-block-p advised correct..... Could you please confirm if subnet 1 in my diagram can really reach out to subnet2 private endpoint?
Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator

2024-10-24T17:57:07.9666667+00:00
Hi @KT,
Thanks for your response!
The statement from the link you've shared as a scenario where a frontend web app (hosted in Subnet 1) needs access to a backend web app via a private endpoint (hosted in Subnet 2), while blocking all public access to the backend.
To confirm whether Subnet 1 in your diagram can truly reach Subnet 2's private endpoint, and how it relates to your scenario.
Private Endpoint Access:

A private endpoint enables the backend service (in Subnet 2) to be accessible only via the Virtual Network (VNet).

The backend service is no longer exposed publicly but is still reachable from within the VNet using the private IP address of the private endpoint.

Can Subnet 1 Reach Subnet 2?

Subnet 1 can reach Subnet 2 if proper NSG rules, peering, and routing are configured.

Ensure the correct routing paths and security rules are in place to allow traffic to flow from Subnet 1 to the private endpoint in Subnet 2. To cross check with this points:

Revisit the VNet integration between frontend and backend.

Double-check NSGs and DNS settings.

Ensure the private endpoint configuration is correct and that Subnet 1 can access Subnet 2.

Verify App Service authentication logic to handle requests correctly.

With this setup, you should be able to isolate traffic between the frontend and backend through the private endpoint successfully.
If you need any further assistance let me know!
Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator

2024-10-25T17:00:48.0333333+00:00

Hi @KT,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
KT 190 Reputation points

2024-10-28T08:25:02.5433333+00:00

Hi Shree Hima Bindu Maganti,

I put a VM in the same subnet(subnet 2 in my diagram) and found no issue for the vm to access to the backend app service. I put another vm in another subnet(subnet 3) in the same Vnet and found no issue for the vm to access to the backend app service. But the frontend app service cannot reach to the backend app service via subnet 1(vnet integration). I really don't know if it is really possible or not.
Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator

2024-10-30T17:42:43.8833333+00:00
Hi @KT,

Thanks for your response!
The fact that both VMs in Subnet 2 and Subnet 3 can access the backend App Service's private endpoint suggests that VNet connectivity within the virtual network is configured correctly. However, App Service VNet integration is different from VM networking and has some restrictions, which may be why the frontend App Service (integrated via Subnet 1) cannot reach the backend App Service.

DNS Resolution: Private endpoints rely on Private DNS Zones (e.g., privatelink.azurewebsites.net) to resolve the backend's private IP. Ensure the Private DNS Zone is linked to the VNet and accessible from Subnet 1, potentially testing DNS from the Kudu console.

NSG and Routing: Confirm that Network Security Group (NSG) rules and route tables allow traffic from Subnet 1 to Subnet 2.

Testing: Use the Kudu Console in the frontend App Service to test connectivity or add a temporary host file entry to diagnose DNS issues.

Alternatives: Consider Azure Application Gateway for routing or an App Service Environment (ASE) if these limitations persist.
Useful Documentation Links

Private Endpoint DNS Configuration — This explains how to set up DNS zones to resolve private endpoint connections.

Azure App Service VNet Integration Overview — Detailed documentation on VNet integration options and limitations for App Services.

Private Endpoint for App Service — Guidance on configuring private endpoints for Azure App Services.
If you need any further assistance let me know!
KT 190 Reputation points

2024-10-31T00:50:18.9266667+00:00

Hi Shree Hima Bindu Maganti,

Thank you. I checked the connection with SSH from the frontend App Service and found it was getting 200. So you are right. It is connected. But when I try with the browser, it is still getting 403 error. I will accept both of the answers below and create another post about the issue. Thanks for your help!

Accepted answer

1 additional answer

Your answer

Hima Bindu 240 Reputation points

2024-10-21T06:42:44.4466667+00:00

Hi @KT,
Welcome to the Microsoft Q&A Platform!
To secure your backend App Service and ensure that it only accepts traffic from your frontend App Service, need to follow these steps

Use Virtual Network Integration

Frontend App Service: Enable VNet integration to allow access to the VNet. Integrate an Azure App Service with a Virtual Network

Backend App Service: Configure the backend App Service to use a private endpoint in the same VNet. Use Private Endpoints with Azure App Service

Configure Private Endpoints

Create a Private Endpoint: Set up a private endpoint for the backend App Service, ensuring it has a private IP address accessible only within the VNet. Create a Private Endpoint for App Service

DNS Configuration: Ensure the frontend can resolve the private endpoint's DNS name. Consider using Azure DNS or setting up a custom DNS zone. Configure DNS for Private Endpoints

Set Up Network Security Groups

Apply NSGs: Create an NSG for the backend App Service's subnet. Backend NSG Rules: Allow inbound traffic from the IP range or subnet of the frontend App Service. Create and manage NSGs

Deny All Other Traffic: Add rules to deny all traffic from other sources to enhance security.

IP Restrictions

Restrict IP Access: In the backend App Service settings, add IP restrictions for the frontend App Service’s outbound IPs. Restrict access to Azure App Service
Enable App Services Authentication so to validate requests coming to the backend from the frontend.

By following these things you should be able to configure your backend App Service securely to accept traffic only from your frontend App Service.
KT 190 Reputation points

2024-10-22T01:08:07.2933333+00:00

Thank you for your detail explanation, Hima Bindu!

I believe I did all the steps you mentioned, but the backend still keep returning 403 error.
Hima Bindu 240 Reputation points

2024-10-22T02:11:08.6933333+00:00

Hi @KT,
Thank you for your Response!
To securely configure your backend App Service to accept traffic only from your frontend App Service and avoid 403 errors, please follow these steps:

DNS Lookup:

Use the Kudu/SSH console in the frontend App Service:
nslookup <backend-app-service-url>

Private Endpoint Configuration:

Ensure the backend's private endpoint is linked to the correct VNet and is accessible only within that VNet.

VNet Integration:

Verify that the frontend App Service is integrated with the same VNet (or a peered VNet) as the backend's private endpoint.

NSG Rules:

Check the NSG on the backend's subnet to allow inbound traffic from the frontend's IP address or subnet.

Access Restrictions:

Confirm that the backend App Service has the frontend's outbound IPs whitelisted.

App Services Authentication:

Ensure the frontend App Service is correctly authenticating requests to the backend if authentication is enabled.
By addressing these areas, you should be able to establish secure communication between your frontend and backend App Services without encountering 403 errors.
If any further questions let me know.
KT 190 Reputation points

2024-10-22T11:25:13.9033333+00:00

Hi Hima Bindu,

Thank you for your reply. I did 1&2 and confirm they setup all correctly.

For 3, since I cannot choose the same subnet where the private endpoint is hosted, I choose another subnet in the Vnet.

For 4, I added the outbount IP(with servicetag) and IP address of AppService in NSG

For 5, yes, I did.

I did not add the logic mentioned in 6.

Could you please confirm if you configure before and it is successful?
Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator

2024-10-23T06:44:50.65+00:00

Hi @KT,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
KT 190 Reputation points

2024-10-24T08:15:26.9366667+00:00

Hi Hima Bindu,

Thanks again for your help. It still does not work even after Managed Identity. Could you tell me where I configure wrongly?
Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator

2024-10-24T08:43:46.4933333+00:00

Hi @KT,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
KT 190 Reputation points

2024-10-24T10:46:39.17+00:00

Hi Shree Hima Bindu Maganti (Quadrant Resource LLC),

I think I follow the steps you shared but it still does not work.

I suspect what https://learn.microsoft.com/en-us/answers/questions/1186571/how-to-give-accesss-to-frontend-webapp-and-block-p advised correct..... Could you please confirm if subnet 1 in my diagram can really reach out to subnet2 private endpoint?
Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator

2024-10-24T17:57:07.9666667+00:00

Hi @KT,
Thanks for your response!
The statement from the link you've shared as a scenario where a frontend web app (hosted in Subnet 1) needs access to a backend web app via a private endpoint (hosted in Subnet 2), while blocking all public access to the backend.
To confirm whether Subnet 1 in your diagram can truly reach Subnet 2's private endpoint, and how it relates to your scenario.
Private Endpoint Access:

A private endpoint enables the backend service (in Subnet 2) to be accessible only via the Virtual Network (VNet).

The backend service is no longer exposed publicly but is still reachable from within the VNet using the private IP address of the private endpoint.

Can Subnet 1 Reach Subnet 2?

Subnet 1 can reach Subnet 2 if proper NSG rules, peering, and routing are configured.

Ensure the correct routing paths and security rules are in place to allow traffic to flow from Subnet 1 to the private endpoint in Subnet 2. To cross check with this points:

Revisit the VNet integration between frontend and backend.

Double-check NSGs and DNS settings.

Ensure the private endpoint configuration is correct and that Subnet 1 can access Subnet 2.

Verify App Service authentication logic to handle requests correctly.

With this setup, you should be able to isolate traffic between the frontend and backend through the private endpoint successfully.
If you need any further assistance let me know!
Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator

2024-10-25T17:00:48.0333333+00:00

Hi @KT,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
KT 190 Reputation points

2024-10-28T08:25:02.5433333+00:00

Hi Shree Hima Bindu Maganti,

I put a VM in the same subnet(subnet 2 in my diagram) and found no issue for the vm to access to the backend app service. I put another vm in another subnet(subnet 3) in the same Vnet and found no issue for the vm to access to the backend app service. But the frontend app service cannot reach to the backend app service via subnet 1(vnet integration). I really don't know if it is really possible or not.
Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator

2024-10-30T17:42:43.8833333+00:00

Hi @KT,

Thanks for your response!
The fact that both VMs in Subnet 2 and Subnet 3 can access the backend App Service's private endpoint suggests that VNet connectivity within the virtual network is configured correctly. However, App Service VNet integration is different from VM networking and has some restrictions, which may be why the frontend App Service (integrated via Subnet 1) cannot reach the backend App Service.

DNS Resolution: Private endpoints rely on Private DNS Zones (e.g., privatelink.azurewebsites.net) to resolve the backend's private IP. Ensure the Private DNS Zone is linked to the VNet and accessible from Subnet 1, potentially testing DNS from the Kudu console.

NSG and Routing: Confirm that Network Security Group (NSG) rules and route tables allow traffic from Subnet 1 to Subnet 2.

Testing: Use the Kudu Console in the frontend App Service to test connectivity or add a temporary host file entry to diagnose DNS issues.

Alternatives: Consider Azure Application Gateway for routing or an App Service Environment (ASE) if these limitations persist.
Useful Documentation Links

Private Endpoint DNS Configuration — This explains how to set up DNS zones to resolve private endpoint connections.

Azure App Service VNet Integration Overview — Detailed documentation on VNet integration options and limitations for App Services.

Private Endpoint for App Service — Guidance on configuring private endpoints for Azure App Services.
If you need any further assistance let me know!
KT 190 Reputation points

2024-10-31T00:50:18.9266667+00:00

Hi Shree Hima Bindu Maganti,

Thank you. I checked the connection with SSH from the frontend App Service and found it was getting 200. So you are right. It is connected. But when I try with the browser, it is still getting 403 error. I will accept both of the answers below and create another post about the issue. Thanks for your help!

Answer 1

Hi @KT,
Thank you for your Response!

Yes, configuring secure communication between frontend and backend App Services using private endpoints and VNets in Azure and it has been successfully implemented. When configured properly, it ensures secure access without exposing your services publicly.
However, authentication between frontend and backend is a key part of this setup. Without proper authentication (such as Managed Identity or OAuth), even when network restrictions are correctly set up, the backend might still reject requests, leading to 403 errors.

For reference, here's an official Microsoft document that can guide you through these steps:

Azure App Service VNet Integration
App Service Private Endpoint configuration
Azure Active Directory Authentication with App Service
These resources provide detailed steps for private endpoint setup, VNet integration, and authentication between services, helping ensure a secure and successful configuration.
If the answer is helpful, please click "Accept Answer" and kindly upvote it.

Answer 2

Hello , Welcome to MS Q&A

Answer to 1questions-->

To secure your backend App Service by blocking public internet access and allowing access only from your frontend App Service, follow these steps:

Restrict Incoming Source IP Addresses: Use network security groups (NSGs) to restrict incoming traffic to only allow access from the frontend App Service. Configure the NSG to permit traffic from the IP address of the frontend service.

Access Restriction Rules: Configure access restriction rules based on service endpoints. This ensures that only requests originating from the frontend App Service are allowed to reach the backend.

Private Endpoints: Consider using private endpoints for the backend App Service. This way, the backend can only be accessed from within the virtual network, effectively blocking public internet access.

Application Gateway: If you're using an Application Gateway, set it up to route traffic to the backend App Service, ensuring that only traffic from the Application Gateway is allowed.

By following these steps, you can effectively secure your backend App Service.

References:

**Answer to 2nd question-->**You do not necessarily need to use an App Service Environment (ASE) for the frontend to communicate with the backend's private endpoint. However, deploying your app in an ASE can simplify the process since the ASE is already integrated into your virtual network. This allows for secure connections to backend resources without additional configuration. If your backend resources are accessible within the same virtual network or through private endpoints, the apps in an ASE can connect to them directly.

References:

Answer to 3rd questions

To connect a frontend App Service to a backend App Service through a private endpoint without using an App Service Environment (ASE), you can utilize Azure Private Link. Here are the steps you can follow:

Create a Private Endpoint: Set up a private endpoint for your backend App Service. This will assign a private IP address from your virtual network to the App Service.

Configure Networking: Ensure that your frontend App Service is in the same virtual network or has access to the virtual network where the private endpoint is created. This can be achieved through VNet integration.

Disable Public Access: To enhance security, you can disable public network access to the backend App Service, ensuring that it can only be accessed through the private endpoint.

Test Connectivity: After setting up the private endpoint and configuring the networking, test the connectivity from the frontend App Service to the backend App Service to ensure that the connection is established correctly.

This approach allows you to securely connect your frontend and backend App Services without exposing them to the public internet.

References:

Please let us know if any further question

Kindly accept answer if it helps

Thanks

Deepanshu

KT 190 Reputation points

2024-10-21T11:19:37.35+00:00

Hi Deepanshukatara-6769,

Thank you for your advice.

1,Restrict Incoming Source IP Addresses: Use network security groups (NSGs) to restrict incoming traffic to only allow access from the frontend App Service. Configure the NSG to permit traffic from the IP address of the frontend service.

Unless I use ASE, I cannot deploy App Service to any Vnet and subnet.

Access Restriction Rules: Configure access restriction rules based on service endpoints. This ensures that only requests originating from the frontend App Service are allowed to reach the backend.

I did, but the backend returns 403.

Create a Private Endpoint: Set up a private endpoint for your backend App Service. This will assign a private IP address from your virtual network to the App Service.

I try to configure Vnet Integration in the frontend AppService to the subnet where a private endpoint is created, but it is grayout and I cannot choose the same subnet. I created another subnet and use that with whitelisting, but returns 403. Not really sure how to reach to prviate endpoint. Could you please advise how to configure? For the backend, it is all configured, but not sure how to configure the frontend side.

I believe APIM can help the backend App Service to accept only the traffic from the frontend. Thanks for your advice!
Deepanshu katara 16,720 Reputation points MVP Moderator

2024-10-22T11:46:54.1333333+00:00

Hi , regarding first point I would like to differ we can deploy appservice to vnet subnet with out ASE as well , please check link and image for ref

https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration

for third point please check this https://learn.microsoft.com/en-us/azure/app-service/overview-private-endpoint

Share via

How to make backend appservice accept the traffic only from the frontend appservice?

1 additional answer

Your answer